Merge pull request #208091 from limwainstein/dns-ama-connector

New connector page for AMA over DNS

Author: v-ccolin

articles/sentinel/TOC.yml

@@ -240,6 +240,8 @@
         href: ama-migrate.md
       - name: CEF over Syslog sources
         href: connect-common-event-format.md
+      - name: DNS via AMA
+        href: connect-dns-ama.md
       - name: Syslog (raw) sources
         href: connect-syslog.md
       - name: Microsoft Sentinel Data Collector API
@@ -514,6 +516,8 @@
       href: cef-name-mapping.md
     - name: Windows security event sets
       href: windows-security-event-id-reference.md
+    - name: DNS over AMA reference
+      href: dns-ama-fields.md
   - name: Detection and analysis references
     items:
     - name: Top Microsoft Sentinel workbooks

articles/sentinel/ama-migrate.md

@@ -41,7 +41,7 @@ The following tables show gap analyses for the log types that currently rely on
 |**Multi-homing**     |  Collection only       |   Collection only      |
 |**Application and service logs**     |    -      |    Collection only     |
 |**Sysmon**     |    Collection only      |      Collection only   |
-|**DNS logs**     |   -       | Collection only        |
+|**DNS logs**     |   [Windows DNS servers via AMA connector](connect-dns-ama.md) (Public preview)       | [Windows DNS Server connector](data-connectors-reference.md#windows-dns-server-preview) (Public preview)        |
 
 
 ### Linux logs
@@ -57,7 +57,7 @@ The following tables show gap analyses for the log types that currently rely on
 
 ## Recommended migration plan
 
-Each organization will have different metrics of success and internal migration processes. This section provides suggested guidance to considered when migrating from the Log Analytics MMA/OMS agent to the AMA, specifically for Microsoft Sentinel.
+Each organization will have different metrics of success and internal migration processes. This section provides suggested guidance to consider when migrating from the Log Analytics MMA/OMS agent to the AMA, specifically for Microsoft Sentinel.
 
 **Include the following steps in your migration process**:
 

articles/sentinel/connect-azure-windows-microsoft-services.md

@@ -10,12 +10,14 @@ ms.custom: ignite-fall-2021
 
 # Connect Microsoft Sentinel to Azure, Windows, Microsoft, and Amazon services
 
-[!INCLUDE [Banner for top of topics](./includes/banner.md)]
-
 [!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
 
 Microsoft Sentinel uses the Azure foundation to provide built-in, service-to-service support for data ingestion from many Azure and Microsoft 365 services, Amazon Web Services, and various Windows Server services. There are a few different methods through which these connections are made, and this article describes how to make these connections.
 
+This article describes the collection of Windows Security Events. For Windows DNS events, learn about the [Windows DNS Events via AMA connector (Preview)](connect-dns-ama.md).
+
+## Types of connections
+
 This article discusses the following types of connectors:
 
 - **API-based** connections
@@ -131,6 +133,10 @@ You can find and query the data for each resource type using the table name that
 
 ## Windows agent-based connections
 
+> [!NOTE]
+>
+> The [Windows DNS Events via AMA connector (Preview)](connect-dns-ama.md) also uses the Azure Monitor Agent. This connector streams and filter events from Windows Domain Name System (DNS) server logs.
+
 # [Azure Monitor Agent](#tab/AMA)
 
 > [!IMPORTANT]

articles/sentinel/connect-dns-ama.md

@@ -10,8 +10,6 @@ ms.custom: ignite-fall-2021
 
 # Find your Microsoft Sentinel data connector
 
-[!INCLUDE [Banner for top of topics](./includes/banner.md)]
-
 This article describes how to deploy data connectors in Microsoft Sentinel, listing all supported, out-of-the-box data connectors, together with links to generic deployment procedures, and extra steps required for specific connectors.
 
 > [!TIP]
@@ -32,7 +30,6 @@ This article describes how to deploy data connectors in Microsoft Sentinel, list
     | **Azure Functions and the REST API** | [Use Azure Functions to connect Microsoft Sentinel to your data source](connect-azure-functions-template.md) |
     | **Syslog** | [Collect data from Linux-based sources using Syslog](connect-syslog.md) |
     | **Custom logs** | [Collect data in custom log formats to Microsoft Sentinel with the Log Analytics agent](connect-custom-logs.md) |
-    |
 
     > [!NOTE]
     > The **Azure service-to-service integration** data ingestion method links to three different sections of its article, depending on the connector type. Each connector's section below specifies the section within that article that it links to.
@@ -704,7 +701,7 @@ Configure eNcore to stream data via TCP to the Log Analytics Agent. This configu
 
 ## DNS (Preview)
 
-**See [Windows DNS Server (Preview)](#windows-dns-server-preview).**
+**See [Windows DNS Events via AMA (Preview)](#windows-dns-events-via-ama-preview) or [Windows DNS Server (Preview)](#windows-dns-server-preview).**
 
 ## Dynamics 365
 
@@ -1821,10 +1818,19 @@ Follow the instructions to obtain the credentials.
 | **Vendor documentation/<br>installation instructions** | Contact [WireX support](https://wirexsystems.com/contact-us/) in order to configure your NFP solution to send Syslog messages in CEF format. |
 | **Supported by** | [WireX Systems](mailto:[email protected]) |
 
+## Windows DNS Events via AMA (Preview)
 
+| Connector attribute | Description |
+| --- | --- |
+| **Data ingestion method** | **Azure service-to-service integration: <br>[Azure monitor Agent-based connection](connect-dns-ama.md)** |
+| **Log Analytics table(s)** | DnsEvents<br>DnsInventory |
+| **DCR support** | Standard DCR |
+| **Supported by** | Microsoft |
 
 ## Windows DNS Server (Preview)
 
+This connector uses the legacy agent. We recommend that you use the DNS over AMA connector above.
+
 | Connector attribute | Description |
 | --- | --- |
 | **Data ingestion method** | **Azure service-to-service integration: <br>[Log Analytics agent-based connections](connect-azure-windows-microsoft-services.md?tabs=LAA#windows-agent-based-connections) (Legacy)** |
@@ -1879,8 +1885,9 @@ We recommend installing the [Advanced Security Information Model (ASIM)](normali
 | **DCR support** | Standard DCR |
 | **Supported by** | Microsoft |
 
-
-See also: [**Security events via legacy agent**](#security-events-via-legacy-agent-windows) connector.
+See also: 
+- [Windows DNS Events via AMA connector (Preview)](connect-dns-ama.md): Uses the Azure Monitor Agent to stream and filter events from Windows Domain Name System (DNS) server logs.
+- [**Security events via legacy agent**](#security-events-via-legacy-agent-windows) connector.
 
 ### Configure the Security events / Windows Security Events connector for anomalous RDP login detection
 

articles/sentinel/data-connectors-reference.md

@@ -0,0 +1,52 @@
+---
+title: Microsoft Sentinel DNS over AMA connector reference - available fields and normalization schema
+description: This article lists available fields for filtering DNS data using the Windows DNS Events via AMA connector, and the normalization schema for Windows DNS server fields.
+author: limwainstein
+ms.author: lwainstein
+ms.topic: reference
+ms.date: 09/01/2022
+---
+
+# DNS over AMA connector reference - available fields and normalization schema
+
+Microsoft Sentinel allows you to stream and filter events from your Windows Domain Name System (DNS) server logs to the `ASimDnsActivityLog` normalized schema table. This article describes the fields used for filtering the data, and the normalization schema for the Windows DNS server fields.
+
+The Azure Monitor Agent (AMA) and its DNS extension are installed on your Windows Server to upload data from your DNS analytical logs to your Microsoft Sentinel workspace. You stream and filter the data using the [Windows DNS Events via AMA connector](dns-ama-fields.md).
+
+## Available fields for filtering
+
+This table shows the available fields. The field names are normalized using the [DNS schema](#asim-normalized-dns-schema).  
+
+|Field name  |Values  |Description  |
+|---------|---------|---------|
+|EventOriginalType   |Numbers between 256 and 280   |The Windows DNS eventID, which indicates the type of the DNS protocol event.    |
+|EventResultDetails   |• NOERROR<br>• FORMERR<br>• SERVFAIL<br>• NXDOMAIN<br>• NOTIMP<br>• REFUSED<br>• YXDOMAIN<br>• YXRRSET<br>• NXRRSET<br>• NOTAUTH<br>• NOTZONE<br>• DSOTYPENI<br>• BADVERS<br>• BADSIG<br>• BADKEY<br>• BADTIME<br>• BADALG<br>• BADTRUNC<br>• BADCOOKIE  |The operation's DNS result string as defined by the Internet Assigned Numbers Authority (IANA).  |
+|DvcIpAdrr  |IP addresses    |The IP address of the server reporting the event. This field also includes geo-location and malicious IP information.    |
+|DnsQuery     |Domain names (FQDN)    |The string representing the domain name to be resolved.<br>• Can accept multiple values in a comma-separated list, and wildcards. For example:<br>`*.microsoft.com,google.com,facebook.com`<br>• Review these considerations for [using wildcards](connect-dns-ama.md#use-wildcards). |
+|DnsQueryTypeName      |• A<br>• NS<br>• MD<br>• MF<br>• CNAME<br>• SOA<br>• MB<br>• MG<br>• MR<br>• NULL<br>• WKS<br>• PTR<br>• HINFO<br>• MINFO<br>• MX<br>• TXT<br>• RP<br>• AFSDB<br>• X25<br>• ISDN<br>• RT<br>• NSAP<br>• NSAP-PTR<br>• SIG<br>• KEY<br>• PX<br>• GPOS<br>• AAAA<br>• LOC<br>• NXT<br>• EID<br>• NIMLOC<br>• SRV         |The requested DNS attribute. The DNS resource record type name as defined by IANA.  |
+
+## ASIM normalized DNS schema 
+
+This table describes and translates Windows DNS server fields into the normalized field names as they appear in the [DNS normalization schema](dns-normalization-schema.md#schema-details).
+
+|Windows DNS field name  |Normalized field name  |Type  |Description |
+|---------|---------|---------|---------|
+|EventID     |EventOriginalType          |String         |The original event type or ID. |
+|RCODE     |EventResult          |String         |The outcome of the event (success, partial, failure, NA). |
+|RCODE parsed     |EventResultDetails          |String         |The DNS response code as defined by IANA.  |
+|InterfaceIP      |DvcIpAdrr          |String         |The IP address of the event reporting device or interface. |
+|AA     |DnsFlagsAuthoritative         |Integer         |Indicates whether the response from the server was authoritative. |
+|AD    |DnsFlagsAuthenticated          |Integer         |Indicates that the server verified all of the data in the answer and the authority of the response, according to the server policies. |
+|RQNAME      |DnsQuery          |String         |The domain needs to be resolved. |
+|QTYPE     |DnsQueryType         |Integer         |The DNS resource record type as defined by IANA. |
+|Port     |SrcPortNumber         |Integer         |Source port sending the query. |
+|Source      |SrcIpAddr         |IP address          |The IP address of the client sending the DNS request. For a recursive DNS request, this value is typically the reporting device's IP, in most cases, `127.0.0.1`. |
+|ElapsedTime |DnsNetworkDuration |Integer |The time it took to complete the DNS request. |
+|GUID |DnsSessionId |String |The DNS session identifier as reported by the reporting device. | 
+
+## Next steps
+
+In this article, you learned about the fields used to filter DNS log data using the Windows DNS events via AMA connector. To learn more about Microsoft Sentinel, see the following articles:
+- Learn how to [get visibility into your data, and potential threats](get-visibility.md).
+- Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md).
+- [Use workbooks](monitor-your-data.md) to monitor your data.